Vulnerability #1: GO-2026-4337
Unexpected session resumption in crypto/tls
More info: https://pkg.go.dev/vuln/GO-2026-4337
Standard library
Found in: crypto/tls@go1.25.6
Fixed in: crypto/tls@go1.25.7
Example traces found:
Error: #1: prometheus/prometheus.go:39:13: prometheus.Init calls sync.Once.Do, which eventually calls tls.Conn.Handshake
Error: #2: pprof/pprof.go:66:33: pprof.StartProfilingHTTPServer calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
Error: #3: bridgeservice/client/client.go:368:29: client.Client.doRequest calls io.ReadAll, which eventually calls tls.Conn.Read
Error: #4: version.go:20:13: aggkit.PrintVersion calls fmt.Fprintf, which calls tls.Conn.Write
Error: #5: bridgeservice/client/client.go:362:30: client.Client.doRequest calls http.Client.Do, which eventually calls tls.Dialer.DialContext
Your code is affected by 1 vulnerability from the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
Gather context: Review PR changes against develop branch
Examine modified files for consistency
Verify Go version upgrade is applied correctly across all files
Check for potential issues or improvements
Provide structured review feedback
🚀 What's New
This PR upgrades Go from version 1.25.6 to 1.25.7 to address a critical security vulnerability (GO-2026-4337) in the crypto/tls standard library package. The vulnerability involves unexpected session resumption in TLS connections. The version bump is consistently applied across all GitHub Actions workflows, the Dockerfile, and go.mod.
🐛 Bug Fixes
None - This is purely a security patch upgrade.
📋 Config Updates
go.mod: go 1.25.6 → go 1.25.7 (line 3)
Dockerfile: FROM golang:1.25.6-alpine → FROM golang:1.25.7-alpine (line 4)
GitHub Workflows: All workflow files updated to use Go 1.25.7:
🟢 Consistent Version Updates: The Go version has been correctly updated across all 7 files. No missed locations.
🟢 Security Fix: Addresses a legitimate security vulnerability in the Go standard library's TLS implementation. The govulncheck workflow shows it passed successfully, confirming the vulnerability is resolved.
🟢 Minimal Scope: This PR correctly focuses only on the version bump without introducing unrelated changes.
🟢 Clear Documentation: The PR description includes the vulnerability details and example traces, making it easy to understand the reason for the upgrade.
🔍 Observations
🟡 Title Typo: The PR title contains a typo: "vunerability" should be "vulnerability"
🟡 CI Status: Current CI checks are running:
✅ Go Vulnerability Check - PASSED (confirming the fix works)
⏳ CodeQL, Lint, Unit Tests, E2E Tests - IN PROGRESS
🎯 Recommendations
🟡 Optional: Fix title typo - Consider updating the PR title to fix the spelling of "vulnerability"
🟢 Wait for CI - All critical workflows are in progress. Wait for them to complete before merging to ensure the version bump doesn't introduce any unexpected issues.
✨ Final Verdict
Status: ✅ APPROVED (pending CI completion)
This is a straightforward and necessary security patch. The implementation is correct with consistent version updates across all configuration files. The govulncheck workflow has already passed, confirming the vulnerability is resolved.
Priority Level: 🔴 Required - This addresses a security vulnerability in the standard library and should be merged once CI checks pass.
Recommendation: Merge this PR after CI workflows complete successfully.
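The review above checks that the Go version was bumped consistently in go.mod, the Dockerfile and every workflow file. The following program automates that check so it can run in CI on future bumps. It is an added example, not code from this repository: the file contents are constructed samples (one workflow is deliberately left at 1.25.6 to show a miss), the module path is a placeholder, and the regexes assume the conventional `go X.Y.Z` directive, `FROM golang:X.Y.Z-...` image tag and `go-version:` key used by actions/setup-go.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// One pattern per file kind the PR touches. The workflow pattern accepts
// `go-version: 1.25.7`, `go-version: '1.25.7'` and `go-version: "1.25.7"`,
// but not `go-version-file:`, which pins nothing itself.
var (
	goModRe      = regexp.MustCompile(`(?m)^go\s+(\d+\.\d+(?:\.\d+)?)\s*$`)
	dockerfileRe = regexp.MustCompile(`(?m)^FROM\s+golang:(\d+\.\d+(?:\.\d+)?)`)
	workflowRe   = regexp.MustCompile(`(?m)^\s*go-version:\s*['"]?(\d+\.\d+(?:\.\d+)?)['"]?\s*$`)
)

// ExtractGoVersions returns every Go version pinned in content, picking the
// pattern from the file name. Files of other kinds pin nothing and return nil.
func ExtractGoVersions(name, content string) []string {
	var re *regexp.Regexp
	switch {
	case strings.HasSuffix(name, "go.mod"):
		re = goModRe
	case strings.Contains(name, "Dockerfile"):
		re = dockerfileRe
	case strings.HasSuffix(name, ".yml") || strings.HasSuffix(name, ".yaml"):
		re = workflowRe
	default:
		return nil
	}
	var out []string
	for _, m := range re.FindAllStringSubmatch(content, -1) {
		out = append(out, m[1])
	}
	return out
}

// CheckVersions lists every pin that differs from want, in file-name order,
// and reports consistent == true only when no pin deviates.
func CheckVersions(files map[string]string, want string) (mismatched []string, consistent bool) {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		for _, v := range ExtractGoVersions(n, files[n]) {
			if v != want {
				mismatched = append(mismatched, fmt.Sprintf("%s pins %s", n, v))
			}
		}
	}
	return mismatched, len(mismatched) == 0
}

// SampleFiles are constructed stand-ins for the repository files; the e2e
// workflow is intentionally stale so the checker has something to report.
var SampleFiles = map[string]string{
	"go.mod":                      "module example.com/placeholder\n\ngo 1.25.7\n",
	"Dockerfile":                  "FROM golang:1.25.7-alpine AS builder\nWORKDIR /src\n",
	".github/workflows/lint.yml":  "jobs:\n  lint:\n    steps:\n      - uses: actions/setup-go@v5\n        with:\n          go-version: '1.25.7'\n",
	".github/workflows/e2e.yml":   "jobs:\n  e2e:\n    steps:\n      - uses: actions/setup-go@v5\n        with:\n          go-version: 1.25.6\n",
	".github/workflows/other.yml": "jobs:\n  other:\n    steps:\n      - uses: actions/setup-go@v5\n        with:\n          go-version-file: go.mod\n",
}

func main() {
	mismatched, ok := CheckVersions(SampleFiles, "1.25.7")
	if ok {
		fmt.Println("all Go version pins agree")
		return
	}
	for _, m := range mismatched {
		fmt.Println("stale pin:", m)
	}
}
```

In a real pipeline the map would be filled by walking the repository and the expected version taken from go.mod, so the job fails whenever any Dockerfile or workflow lags behind the module directive; that is exactly the "no missed locations" property the review verified by hand.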
🔄 Changes Summary
Bump go to 1.25.7